In this article, we’ll first discuss the challenging issue of scaling security testing for modern organizations, then explore actionable solutions for industrializing your penetration testing activities across multiple assets and entities.
Scaling cybersecurity is a central and necessary topic, for two main reasons.
Firstly, for obvious security imperatives. The digital landscape is no longer the same as it was a few years ago. Developments are numerous and updates frequent, interconnections are everywhere, and threats are proliferating faster than ever, both in number and form. Each of these points brings its own set of security issues to address, each more vital than the last in societies where the security of data and systems is a prime concern.
Then there are compliance matters. To organize this vast undertaking, and to force the hand of those who still doubt the pressing need for stronger digital security, the European Union has produced a number of major laws on the subject: NIS2, the Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA), and so on. Different pieces of legislation with a single message: cybersecurity will scale up in the EU, whether you like it or not.
Different Ways of Scaling for Different Areas of Cybersecurity
First of all, it’s important to understand that cybersecurity is not a uniform, monolithic block, but a multifaceted field. Even if we stick to the simple dichotomy between defensive and offensive security (Blue Team and Red Team), the subjects are numerous and heterogeneous: attack detection, threat analysis, code security, cloud security, security testing, etc.
So there isn’t just one way of scaling cybersecurity, but several, each with its own challenges and solutions. The corollary of the previous point is that, if strengthening global digital security cannot be considered in a single piece, it must be approached through the particular prism of each of its sub-domains.
Scaling Security Testing
At Yogosha, there’s one thing we’re particularly passionate about — it’s even our job — and that’s security testing. If there’s a topic we can perhaps contribute to, it’s this one. Therefore, we won’t be exploring the question of scaling cybersecurity as a whole, but rather through the very specific lens of security testing, and more especially offensive testing.
Read also: What is Offensive Security? An introductory guide to OffSec
Indeed, faced with the injunction to audit more assets more often, a major question arises for the security managers of large organizations.
How can so many tests — eclectic ones at that — be carried out on so many assets and perimeters, across so many entities, repeatedly or continuously throughout the year? How to streamline the exercise, automate processes and centralize results? And above all, how can we do all this without blowing up the security budget?
Automated Tests Are More Easily Scalable
The automated nature of some security tests makes them more easily scalable, such as vulnerability scans and SAST tools (Static Application Security Testing). Here, security teams will face three main challenges:
- negotiating a budget sufficient to afford a range of tools, which are necessary but often expensive;
- understanding their organization’s attack surface and all its exposed assets, in order to avoid blind spots that might be potential entry points for malicious actors;
- properly calibrating the different automated tools, which again calls for in-depth knowledge of the organization’s attack surface, as well as technical skills and prior Cyber Threat Intelligence (CTI) work.
Read also: What is Attack Surface Management? (tools, strategy, guidelines)
The Difficulty of Scaling Human Intervention
But the challenge of scaling up is far more difficult when human intervention, often manual, comes into play:
- It is far more difficult to scale human expertise than automated solutions. Security professionals are a scarce resource, and all of them have only two hands and no desire to work around the clock.
- The costs of human intervention are recurrent. Unlike the acquisition of an automated solution, which can be expensive but is largely a one-off purchase, relying on cybersecurity professionals means paying them for every engagement, whether by salary or per-service billing. Moreover, the complexity of cybersecurity combined with the skills shortage means that these costs are usually high.
- The sidework (scoping meetings, documentation, vulnerability management…) is time-consuming and grows with every additional test carried out.
When it comes to scaling up, these issues are common to all human interventions in cybersecurity, including those related to penetration testing.
Pentesting is probably the most common offensive test used by organizations throughout the world, and is therefore the most important to consider. After all, the whole point is to strengthen and develop the overall level of security, so it’s with the most widespread methods that we should approach the subject of scaling security testing.
Read also: Penetration testing, why and how to conduct a pentest
Penetration Testing: the Limits of Traditional Approaches
Let’s face it: it’s unthinkable to carry out pentests “the old-fashioned way” for an entity wishing to multiply its testing activities, especially if it is subject to stringent regulations such as NIS2 or DORA. It’s not so much the tests themselves that pose a problem, but everything that surrounds them.
Organizing a penetration test with a traditional service provider, usually an IT firm, involves cumbersome and time-consuming processes. Scoping, follow-up and debriefing meetings eat up time, actual testing rarely begins in under three to six weeks, and results are communicated via outdated channels: who said anything about PDF?
And we’re talking here about a single pentest, so imagine how difficult it would be to do this for all tests, for all assets, across all entities… Not to mention the cost of traditional pentests, which alone would blow the entire security budget.
Read also: Pentest as a Service vs traditional pentesting, which differences?
A frequency no longer suited to today’s security challenges
Worse still, the sporadic nature of traditional penetration tests means that they are no longer suited to the security challenges faced by modern organizations. These tests are useful for identifying vulnerabilities at a given point in time, but they are by their very nature inadequate for dealing with the fluctuating nature of cyberthreats.
The digital ecosystem is dynamic, with new vulnerabilities emerging every day, and malicious actors constantly renewing their approaches. Point-in-time testing offers only limited visibility, exposing companies to the potential risks that can arise between tests.
Read also: Why It’s Time to Move on to Continuous Security Testing
For organizations with growing security needs, the answer lies elsewhere than in traditional approaches. We need to rethink the structure of our tools and processes. We need to be able to respond to hundreds of projects in Agile mode, to numerous weekly deliveries, to business imperatives, to data sovereignty considerations…
We need an approach to penetration testing that is flexible, scalable, streamlined and, if possible, continuous. In other words, we need Pentest as a Service (PtaaS).
Scaling through Pentest as a Service (PtaaS)
Pentest as a Service (PtaaS) is a solution for all organizations that need to carry out several dozen penetration tests a year, on multiple perimeters and entities. PtaaS as proposed by Yogosha differs from traditional approaches in two respects:
- Digitization and industrialization of pentesting, through a sovereign platform available as SaaS or Self-Hosted;
- Access to a unique skills pool, through a community of 800+ security researchers specialized in different types of assets and technologies.
I. Industrializing pentesting through digitalization
Digitizing pentesting through a platform provides the flexibility and speed required to scale up security testing, allowing for:
- launching a pentest in less than a week (compared to three to six weeks with an IT firm);
- live reporting of vulnerabilities on our platform, without having to wait until the end of the test, enabling rapid remediation of the most critical vulnerabilities, and seamless integration of security testing into CI/CD pipelines;
- direct communication with security researchers for more agile and efficient testing;
- the segregation of tests (and roles) across multiple entities and business units, thanks to a system of programs and workspaces;
- the traceability of test activities thanks to the built-in VPN;
- the simplification and centralization of vulnerability management before, during and after testing, thanks to our Vulnerability Operations Center (VOC) and its various analytical dashboards;
- the integration with your ticketing and remediation tools via API or connectors (Jira, Slack, ServiceNow…);
- the industrialization of pentesting activities, with comprehensive yet modular offerings and a single contractual framework.
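Two of the items above, live reporting feeding a CI/CD pipeline and integration with ticketing tools via API or webhooks, are what make findings actionable as soon as they are reported rather than at the end of the test. The block below is an added example, not Yogosha’s code or API: it sketches a webhook consumer that verifies an HMAC signature on the incoming payload, parses findings, fails a pipeline stage when open findings at or above a severity threshold exist, and maps a finding to a Jira create-issue request body. The JSON schema, the signature scheme, the severity labels and the sample payload are all assumptions constructed for illustration; the HTTP calls to Jira are left out.

```python
"""CI gate and ticket mapping for live pentest findings (added example).

The payload schema, the HMAC-SHA256 signature and the severity labels are
assumptions made for this example; they are not Yogosha's webhook format.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed severity scale, ordered for threshold comparisons.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Mapping to Jira's default priority names.
JIRA_PRIORITY = {"critical": "Highest", "high": "High", "medium": "Medium",
                 "low": "Low", "info": "Lowest"}


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    severity: str
    status: str  # assumed values: "open" or "fixed"
    asset: str


def verify_signature(body: bytes, header_sig: str, secret: bytes) -> bool:
    """Constant-time check of an assumed hex HMAC-SHA256 over the raw body."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_sig)


def parse_findings(body: bytes) -> list[Finding]:
    """Parse the assumed {"findings": [...]} payload, rejecting unknown severities."""
    payload = json.loads(body)
    findings = []
    for item in payload["findings"]:
        sev = item["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} on finding {item['id']}")
        findings.append(Finding(item["id"], item["title"], sev,
                                item["status"].lower(), item["asset"]))
    return findings


def blocking_findings(findings: list[Finding], threshold: str = "high") -> list[Finding]:
    """Open findings whose severity is at or above the threshold."""
    min_rank = SEVERITY_RANK[threshold]
    return [f for f in findings
            if f.status == "open" and SEVERITY_RANK[f.severity] >= min_rank]


def ci_gate(body: bytes, header_sig: str, secret: bytes,
            threshold: str = "high") -> tuple[bool, list[Finding]]:
    """Return (pipeline may proceed, blocking findings); refuse unsigned payloads."""
    if not verify_signature(body, header_sig, secret):
        raise PermissionError("webhook signature mismatch")
    blocking = blocking_findings(parse_findings(body), threshold)
    return (len(blocking) == 0, blocking)


def to_jira_issue(f: Finding, project_key: str = "SEC") -> dict:
    """Body for Jira's create-issue REST call; the HTTP request itself is omitted."""
    return {"fields": {
        "project": {"key": project_key},
        "summary": f"[{f.severity.upper()}] {f.title} ({f.asset})",
        "issuetype": {"name": "Bug"},
        "priority": {"name": JIRA_PRIORITY[f.severity]},
        "labels": ["pentest", f"finding-{f.id}"],
    }}


# Constructed sample payload and shared secret (not real data).
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_BODY = json.dumps({"findings": [
    {"id": "F-1", "title": "SQL injection in search", "severity": "Critical",
     "status": "open", "asset": "api.example.internal"},
    {"id": "F-2", "title": "Verbose error page", "severity": "Medium",
     "status": "open", "asset": "www.example.internal"},
    {"id": "F-3", "title": "IDOR on invoices", "severity": "High",
     "status": "fixed", "asset": "api.example.internal"},
]}).encode()
SAMPLE_SIG = hmac.new(SAMPLE_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    ok, blocking = ci_gate(SAMPLE_BODY, SAMPLE_SIG, SAMPLE_SECRET)
    print("pipeline may proceed:", ok)
    for f in blocking:
        print(json.dumps(to_jira_issue(f), indent=2))
```

With the sample payload the gate blocks on F-1 only: F-3 is high but already fixed, and F-2 sits below the "high" threshold. Raising or lowering `threshold` per pipeline stage is how a team lets medium findings through to a backlog while still failing a release on anything critical.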
II. Finding the best experts and bridging the skills gap
Digitizing pentesting via a platform only addresses one of the challenges posed by scaling up security testing: industrializing tools and processes. But there is another major challenge for organizations: finding qualified experts to carry out the actual tests.
Recruit security professionals or outsource testing?
Organizations have two options when it comes to performing penetration tests.
1. In-house human resources. This option has many advantages, but unfortunately there is a worldwide shortage of cybersecurity talent. Forbes estimated that there were 3.5 million vacancies in the sector at the beginning of 2023, an increase of 350% in less than 10 years. Talent is therefore scarce and expensive, and not all entities can afford to have a decent team of pentesters.
2. Turn to a specialized service provider. This is the solution favored by many companies, who choose to outsource security testing to a service provider, usually an auditing firm. But a firm’s expertise is always limited to that of its own employees, and their numbers. Even the most talented pentester won’t be familiar with all types of assets and technologies – it’s impossible. When choosing the service provider who will carry out the tests, it is therefore essential to ensure that they have the in-house skills to match the specificities of the scope to be tested.
To address these two difficulties — recruiting qualified professionals, or making sure a service provider has the in-house skills you need — we offer a unique response: the Yogosha Strike Force.
The Yogosha Strike Force, a community of 800+ screened experts
The Yogosha Strike Force (YSF) is a private, selective community of over 800 international security researchers:
- Specialized in finding the most critical vulnerabilities by simulating sophisticated hacker attacks.
- Experts in multiple asset types: Web and Mobile Apps, IoT, Cloud, Networks, APIs, Infrastructure…
- Holders of recognized cybersecurity certifications — OSCP, OSEP, OSWE, OSEE, GXPN, GCPN, eWPTXv2, PNPT, CISSP…
We select only the most talented researchers: only 10% of applicants are accepted, after passing technical and report-writing exams. Identity and background checks are also carried out.
Through the Yogosha Strike Force, organizations have access to:
- a large number of carefully selected international security experts;
- an unrivaled range of skills to best address all types of assets and technologies.
“Through Yogosha, we’ve managed to find talented people.” — Éric Vautier, CISO, Groupe ADP (Paris’ Airports)
Towards better management of in-house pentests
It goes without saying that calling in the experts from the Yogosha Strike Force is optional, especially if you already have competent professionals in-house. In this case, the challenge is not so much to find the right profiles, but rather to efficiently organize large numbers of in-house security tests, and then effectively manage their fallout — again, it’s about scaling up. Here, too, the Yogosha platform has a role to play.
Yogosha as a Pentest Management platform
Organizations with their own pentesters can invite them to join our platform, the Vulnerability Operations Center (VOC), to digitalize and streamline penetration testing.
Pentests are then organized by projects and entities, with role and access management, and reports are centralized in a single tool. Exchanges with pentesters can take place directly within the reports, while holistic views enable rapid assessment of risk exposure at micro (per perimeter) or macro (per entity) level. Vulnerability management is facilitated, from triage to remediation, thanks to connectors and webhooks with different tools — Jira, Slack, ServiceNow, etc.
Available as SaaS or Self-Hosted
Our platform can be deployed in different ways to meet the security requirements of all organizations, even the most sensitive.
The Yogosha platform is available:
- SaaS: a turnkey solution, hosted via 3DS Outscale and its SecNumCloud-qualified sovereign cloud (SecNumCloud is the French security qualification for cloud providers, issued by ANSSI, the national cybersecurity agency). Data is hosted on French soil.
- Self-Hosted: a solution designed for organizations with the most stringent security requirements. You’re free to host the Yogosha platform wherever you like – private cloud, on premise – to retain total control over your data and the execution context.
In both cases, the intrinsic robustness of our product is at the heart of our concerns. We continually secure our assets through a DevSecOps pipeline, OWASP guidelines, recurrent penetration testing and an ongoing bug bounty program. We are also in the process of obtaining ISO 27001 certification for our platform.
Reconciling increased testing with security budgets
The multiplication of security tests also raises a number of financial issues. A traditional penetration test is expensive, costing between $10k and $35k according to Blaze. And we’re talking about a single test here, so imagine the bill for organizations required to carry out a myriad of audits every year, on different sensitive assets, across multiple entities. The bill is high enough to make any CISO or CFO shudder.
Scaling up security testing therefore represents a real economic challenge for organizations. How do you increase the number of security tests without blowing your cybersecurity budget? Here again, we make no secret that our answer is Pentest as a Service (PtaaS).
PtaaS: up to 96% higher ROI than traditional pentesting
From a financial point of view, PtaaS is generally more attractive than the traditional approach. Pricing itself tends to be lower, but it’s the disappearance of many hidden costs that makes all the difference: time-consuming triage, tedious vulnerability management, friction with Agile methodologies, and so on.
Since we’re not impartial on this matter, we refer you instead to an article by Tech Beacon, 4 hidden costs of pentesting. In it, we learn that the ROI of Pentest as a Service can be up to 96% higher than its historical counterpart.
Looking to industrialize your security testing on a large scale, with the right experts, on a one-off or ongoing basis? Request a demo of our Pentest as a Service (PtaaS) offering now.